10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity

Risk Management and Strategy

Management of cybersecurity risks is a component of the Company’s overall risk management strategy. The Company relies on information technology, communication networks, enterprise applications, accounting and financial platforms, and related systems in the operation of its business. The Company’s operations also rely on the secure collection, storage, transmission and processing of proprietary, confidential and sensitive data. The Company’s cybersecurity risk management strategy is designed to support the Company in identifying, protecting, detecting, responding to, and recovering from cybersecurity threats and incidents with the intention of protecting the confidentiality, integrity, and availability of such systems and data.

The Company’s cybersecurity program is managed by a dedicated Director of Information Technology. The Company’s Director of IT has more than 25 years of experience in the design and implementation of IT infrastructure, including cybersecurity features, and holds a variety of relevant certifications. The Company has also engaged a third-party IT expert to assist the Company’s in-house IT function in managing cybersecurity risks and evaluating, monitoring and testing the Company’s cybersecurity program.

The Company has implemented and maintains various information security processes designed to identify, assess and manage risks from cybersecurity threats to its computer networks, communication systems, hardware and software and its critical data and confidential information. These include conducting scans of the threat environment and conducting vulnerability assessments. The Company has also implemented and maintains various technical and physical measures to mitigate material risks from cybersecurity threats including incident detection and response, disaster recovery and business continuity plans, internal controls within the Company’s accounting and financial reporting functions, data encryption, network security and access controls, including multi-factor authentication, as well as physical security. The Company also conducts cybersecurity awareness training annually for employees and provides cybersecurity updates during regularly scheduled meetings, that occur at a minimum monthly, throughout the year. These updates are designed to educate employees and to raise awareness of cybersecurity threats to reduce vulnerability as well as to encourage consideration of cybersecurity risks across all Company functions.

Given the ever-changing cyber risk landscape the Company continues to evolve its oversight process. During the year ended December 31, 2023, the Company conducted an assessment in accordance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and is in the process of implementing additional policies and procedures to further enhance the Company’s cybersecurity practices.

The Company conducts annual reviews of third-party hosted applications where sensitive Company data is shared. The owners of such applications are required to document user access reviews at least annually and provide the Company with a System and Organization Controls (SOC) 1 report. The Company’s assessment of risks associated with the use of third-party providers is part of its overall cybersecurity risk management strategy.

The Company is not aware of any risks from cybersecurity threats, including any cybersecurity incidents, which have materially affected or are reasonably likely to materially affect the Company, including its business, results of operations or financial condition. Refer to Item 1A. Risk Factors in this annual report on Form 10-K, specifically “The Company faces risks associated with security breaches through cyber attacks, cyber intrusions or otherwise, as well as other significant disruptions of its information technology (“IT”) networks and related systems,” for additional discussion about cybersecurity-related risks.


The Company’s board of directors has overall responsibility for the Company’s strategy and risk management, including material risks related to cybersecurity threats. The audit committee provides oversight of the Companys cybersecurity, information security and technology risk exposures, including the steps management has taken to identify, assess, monitor and control cybersecurity risks.

The day-to-day management of the Company’s cybersecurity program is led by a dedicated Director of IT. The Director of IT provides regular updates to the Company’s senior management team through briefings on cybersecurity matters, including potential cybersecurity threats and incidents. This ensures that the highest levels of management are made aware of potential cybersecurity threats and any material cybersecurity matters are promptly escalated to the audit committee and Company’s board of directors if necessary.

The Director of IT and senior management team provide quarterly reports, or more frequently as necessary, to the audit committee. These reports include updates on the Company’s cybersecurity strategy, the status of projects to strengthen the Company’s cybersecurity systems, and the emerging threat landscape. The audit committee reports to the Company’s board of directors quarterly, or more frequently as necessary, regarding its activities, including those related to cybersecurity.